Get our All-New Playbook reflecting real life data from executives of 30 companies that offers a window into how organizations are confronting persistent breach risks stemming from third parties.

Playbook thumbnail.png

We are excited to announce the release of our inaugural Third-Party Security Risk Management Playbook. An inside look at how real companies are managing third party cyber risk. To get this important information we have conducted in-depth interviews with security executives from 30 participating organizations across multiple industries. The Playbook reveals how companies are managing the security risks of their complex digital supply chains and sensitive business partnerships.  Our study identified 14 vendor-neutral capability sets comprising 72 common, emerging, and pioneering practices that firms have implemented to manage third-party security risk. As a study of real-world third-party risk management programs, the Playbook is a valuable tool executives can use to benchmark their own programs and gain insight into pioneering practices other firms are adopting.


The Playbook is a free download and is available here:

Key findings include:

  • The financial services industry is the clear leader: Financial services firms have been actively managing third-party security risk for an average of 6.5 years, nearly 4 years longer than firms in other industries. Financial services firms also are the drivers behind over 60% of the pioneering practices observed in the study.

  • Third-party security risk management is rapidly innovating: Thirty two percent of the third-party risk management practices the study identified are implemented by less than 25% of the study participants. In all cases, these pioneering practices were recently implemented by the adopting firms. The practices leverage objective security data to better understand third-party risk performance and more intelligently allocate and engage risk analysts in assessments.

  • Pioneering firms are hunting for dangerous conditions in their third-party systems: Twenty three percent of respondent companies are proactively identifying severe vulnerabilities in their vendors’ systems and working collaboratively with their vendors to quickly address the issues.

  • Fourth-party awareness is peaking over the horizon: While only 7% of respondent firms are actively tracking their fourth parties (the third parties used by their vendors), an additional 33% stated that they intend to implement capabilities to better manage fourth-party risk within two years, citing regulatory requirements as the primary driver.

“Enterprise risk officers are waking up to the reality that their information risk increasingly resides in the systems of their third parties, beyond the bounds of their own network. You can outsource your systems and operations to third parties, but you cannot outsource your risk,” says Kelly White, RiskRecon CEO and Founder.

Brian Johnson, a CISO consultant and a former CISO of LendingClub, said, “CISOs know that effective third-party security risk management is essential for protecting their enterprise, yet many lack the data necessary to appropriately understand and prioritize third-party risk exposure. The best thinking on solving risk lies within industry, where practitioners are solving real enterprise risk problems every day. The Playbook captures these practices, providing a resource that risk managers can reference in enhancing their programs.”

The capability sets and practices described in our Playbook span three domains: Program Management, Risk Assessment, and Monitoring & Response. The Playbook shows the percentage adoption rate of each practice so that you can quickly identify practices that are common versus pioneering. The pioneering practices, which have a less than 25% adoption rate, largely involve capabilities leveraging objective data to better assess and manage third-party risk performance. “Traditional methods of assessing vendor risk performance using questionnaires reveal the investments companies have made in managing risk.  The pioneering use of objective data reveals how well companies implement and operate their security risk management program,” says Kelly White.

We discovered the initial third-party security risk management framework through roundtable discussions conducted with risk executives throughout the U.S. and the U.K. We then used this framework to conduct detailed interviews of executive owners of third-party risk management programs to arrive at the final Playbook.

Our objective for the Playbook is to provide a practitioners a guide for building and operating your own third-party risk management programs, founded on the community of capabilities and practices developed by your peers. Readers interested in contributing insights and data to the next edition of the Playbook can contact us at

Join The Playbook Discussion:

Playbook Website:

Twitter: @3rdPtyPlaybook  

Hashtag: #3rdPtyPlaybook


Follow RiskRecon:



Twitter: @riskrecon

About RiskRecon

RiskRecon’s continuous monitoring solution delivers risk-prioritized action plans that enable precise, efficient elimination of your most critical third-party security gaps.

Our data-driven SaaS service relies on passive, direct analysis of Internet-facing systems to quantify risks and provide straightforward evidence necessary for remediation. Rather than producing a laundry list of issues, RiskRecon’s custom analytics quantify true risk by determining each system’s issue severity and asset value. Only RiskRecon enables you to build a scalable, third-party risk reduction program that compresses remediation cycle time, improves analyst productivity, and ensures constructive vendor collaboration. Learn more at